2013/12/3 dan (ddp) <[email protected]>

> On Tue, Dec 3, 2013 at 10:37 AM, Michiel van Es <[email protected]>
> wrote:
> >
> >
> > On Wednesday, 20 November 2013 19:24:01 UTC+1, dan (ddpbsd) wrote:
> >>
> >> On Wed, Nov 20, 2013 at 9:30 AM, Michiel van Es <[email protected]>
> >> wrote:
> >> > Hello,
> >> >
> >> > I have some basic questions about the OSSEC server <-> agent model:
> >> >
> >> > - is it correct that the agents ossec.conf can be as small as:
> >> > <ossec_config>
> >> >   <client>
> >> >     <server-hostname>OSSEC-SERVERNAME</server-hostname>
> >> >   </client>
> >> > </ossec_config>
> >> >
> >> > - I push all checks on the server via /var/ossec/etc/shared/agent.conf
> >> > (the file being synced)?
> >> >
> >>
> >> Most things work just fine in the agent.conf.
> >>
> >> > - If I want to run the netstat command on all nodes via the
> >> > shared/agent.conf on the server that I have to do the following:
> >> >
> >> > 1) change the agent.conf to include:
> >> > <localfile>
> >> >   <log_format>full_command</log_format>
> >> >   <command>netstat -tan |grep LISTEN |grep -v 127.0.0.1 | sort</command>
> >> > </localfile>
> >> > 2) change the /var/ossec/etc/internal_options.conf on all agents that
> >> > include:
> >> > logcollector.remote_commands=1
> >> > 3) restart the server and then all agents ossec ?
> >> >
> >>
> >> Seems correct.
> >>
> >>
> >> > Option 2) seems to cause an extra security risk (like Nagios NRPE): if
> >> > the ossec server is compromised all servers can be reached or can be used
> >> > to execute commands remotely via the ossec server, is that correct?
> >> >
> >>
> >> Correct, and I believe this is why remote commands are disabled by
> >> default.
> >
> >
> > Do you know if there is another way of accomplishing the netstat -tan
> > diff on all agents without the need to enable the remote commands on all
> > agents? Specify it in the ossec.conf on all agents?
> >
>
> Yes, that configuration belongs in the ossec.conf of the agent.
>
> > I only have:
> >
> >  <ossec_config>
> >    <client>
> >      <server-hostname>OSSEC-SERVERNAME</server-hostname>
> >    </client>
> >  </ossec_config>
> >
> > What do I need to add for the netstat command?
> > Only add the following to the ossec.conf for the agents:
> >
> > <localfile>
> >     <log_format>full_command</log_format>
> >     <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
> > </localfile>
> >
> > and can I specify how often this needs to run on the agents? (I want to
> > randomise the time it should run).
> >
>
> Yes, frequency.
>

OK, would this be sufficient to make it work on the agents?

<ossec_config>
  <client>
    <server-hostname>OSSEC-SERVER</server-hostname>
  </client>

  <localfile>
    <!-- Minimum interval in seconds between runs of the command (7200 = every 2 hours) -->
    <frequency>7200</frequency>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
  </localfile>
</ossec_config>

Or does the <localfile> stanza need to be used with a <syscheck> or
<rootcheck> block?


>
> > Michiel
> >
> >>
> >>
> >> > Thanks for clearing things up :)
> >> >
> >> > Michiel
> >> >
> >> > --
> >> >
> >> > ---
> >> > You received this message because you are subscribed to the Google
> >> > Groups
> >> > "ossec-list" group.
> >> > To unsubscribe from this group and stop receiving emails from it, send
> >> > an
> >> > email to [email protected].
> >> > For more options, visit https://groups.google.com/groups/opt_out.
> >
>


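The security point of the thread is the difference between commands an agent carries in its own ossec.conf and commands the server pushes through shared/agent.conf once logcollector.remote_commands=1 is set. The Python audit below is added here and is not part of the thread or of OSSEC; it parses constructed samples of both files (the contents are made up for the example) and reports which situation an agent is in.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample agent ossec.conf, modelled on the config in the thread (not a real file).
AGENT_OSSEC_CONF = """
<ossec_config>
  <client>
    <server-hostname>OSSEC-SERVER</server-hostname>
  </client>
  <localfile>
    <frequency>7200</frequency>
    <log_format>full_command</log_format>
    <command>netstat -tan |grep LISTEN|grep -v 127.0.0.1</command>
  </localfile>
</ossec_config>
"""

# Constructed sample internal_options.conf with server-pushed commands enabled.
INTERNAL_OPTIONS = """
# Logcollector: run <command> blocks received from the server's agent.conf
logcollector.remote_commands=1
"""

def local_commands(ossec_conf_xml):
    """Return (command, log_format, frequency) for every <localfile> block that runs a command.
    OSSEC accepts several <ossec_config> roots in one file, so wrap the text in a synthetic root."""
    root = ET.fromstring("<root>" + ossec_conf_xml + "</root>")
    found = []
    for lf in root.iter("localfile"):
        cmd = lf.findtext("command")
        if cmd is None:
            continue  # a plain log file entry, not a command
        freq = lf.findtext("frequency")
        found.append((cmd.strip(), lf.findtext("log_format", "").strip(),
                      int(freq) if freq else None))
    return found

def remote_commands_enabled(internal_options_text):
    """True if internal_options.conf lets the server's agent.conf execute commands on this agent."""
    for line in internal_options_text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop comments
        m = re.fullmatch(r"logcollector\.remote_commands\s*=\s*(\d+)", line)
        if m:
            return m.group(1) != "0"
    return False  # the shipped default is 0 (disabled)

def audit(ossec_conf_xml, internal_options_text):
    """Summarise exposure: local commands only affect this host, remote ones extend server compromise."""
    findings = []
    if remote_commands_enabled(internal_options_text):
        findings.append("remote_commands=1: commands pushed via agent.conf will run on this agent")
    for cmd, fmt, freq in local_commands(ossec_conf_xml):
        findings.append(f"local {fmt} command every {freq}s: {cmd}")
    return findings
```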